/va/payments?CompanyCode=&RequestID= OR /va/payments?CompanyCode=&CustomerNumber=

Get status of payment by CompanyCode and CustomerNumber or RequestID

Try our APIs in the Sandbox. The sandbox serves dummy, static data. All the parameter values that can be used to try the sandbox are written in the blue box in this documentation.

Authentication

OAuth2.0

BCA APIs use OAuth 2.0 as the authorization framework. To get an access token, you need to be authorized with your client_id and client_secret. To learn more about the OAuth 2.0 authorization framework, you can read the RFC 6749 documentation.
client_secret and client_id are used for authentication using OAuth 2.0. You can generate the client_id and client_secret after signing in and creating an application.

Do not share your client_secret! This token acts like a password: keep it secret and secure. Should anyone obtain this information, immediately reset or revoke your client_secret.

Access Token

access_token is an opaque string token that identifies the user of the API. This token is required each time an application calls the API. There are several ways to obtain an access_token, which are described below.

Access tokens must be stored in secure storage! Since access_token is portable, meaning that once it is obtained any request with valid credentials will be considered valid, any agent (mobile device, web browser, or server) could make API requests with it.

Obtaining Access Token

An access token can be obtained in several ways, depending on the grant_type of the application. To access all the services in this sandbox, you need an access token with grant_type = client_credentials.

The client_credentials grant gives an application access to the API without requiring any user credentials. Any call made with an access_token obtained this way is made on behalf of the application instead of the user.

This grant type is designed for server-to-server calls. To obtain an access_token, a request must be made with the following specification:

Request

| Setting | Value |
|---|---|
| HTTP Method | POST |
| Path | /api/oauth/token |
| Host | sandbox.bca.co.id |

Request Headers

| Name | Format | Mandatory | Description |
|---|---|---|---|
| Authorization | Basic base64(client_id:client_secret) | Yes | |
| Content-Type | application/x-www-form-urlencoded | Yes | |

Payload

| Field | Data Type | Mandatory | Description |
|---|---|---|---|
| grant_type | String | Yes | value = client_credentials |

The result of the request contains the following information:

Response

| Field | Data Type | Description |
|---|---|---|
| access_token | String | your access_token |
| token_type | String | default is Bearer |
| expires_in | String | access_token validity, in seconds |
| scope | String | application scope/permission granted to application |
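The token request specified above, built without being sent, together with handling of the documented response fields. This is an added example, not BCA's own code; the https scheme, the function names and the 30-second refresh margin are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Host and path come from the Request table; the https scheme is an assumption.
TOKEN_URL = "https://sandbox.bca.co.id/api/oauth/token"


def build_token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client_credentials token request; nothing is sent here."""
    # The secret travels only in the Authorization header, never in the URL,
    # so it does not end up in access logs. Do not log this header either.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_token_response(raw: str, now: float, skew: int = 30) -> dict:
    """Check the response fields and work out when to fetch a fresh token."""
    data = json.loads(raw)
    if data.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("unexpected token_type")
    lifetime = int(data["expires_in"])  # documented as a String holding seconds
    return {
        "authorization": f"Bearer {data['access_token']}",
        # Refresh slightly early (assumed margin) so a call never uses an expired token.
        "refresh_at": now + max(lifetime - skew, 0),
        "scope": data.get("scope", ""),
    }
```

Keep the returned token in memory or a secrets store on the server side, and pass `time.time()` as `now` when parsing a live response.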

Signature

Signature is used by BCA to verify that your request has not been altered by attackers.

The outline of the HMAC validation process is as follows:

Retrieve the Timestamp from the HTTP header (X-BCA-Timestamp)

Retrieve the API Key from the HTTP header (X-BCA-Key)

Look up the API Secret corresponding to the received key in the internal store

Details about the data used to derive the StringToSign are explained in the next sections.

HTTP Method

HTTP Method is the HTTP method of the request, such as GET, POST, PUT, PATCH, or DELETE.

HTTP Method must be given in upper case.

Relative URL

Relative URL is the URL after the hostname and port number.

Relative URL also includes the query string and must begin with a slash character. Example:

| Full URL | Relative URL |
|---|---|
| https://example.com/api/v2/sample?param1=value1&param2=value2 | /api/v2/sample?param1=value1&param2=value2 |
| https://example.com or https://example.com/ | / |

The Relative URL must be URI-encoded according to the following rules:

Do not URI-encode forward slash ( / ) if it was used as path component.

Do not URI-encode question mark ( ? ), equals sign ( = ), and ampersand ( & ) if they were used as query string component: as separator between the path and query string, between query parameter and its value, and between each query parameter and value pairs.

Percent-encode all other characters not meeting the above conditions using the format: %XY, where X and Y are hexadecimal characters (0-9 and uppercase A-F).
For example, the space character must be encoded as %20 (not using ’+’, as some encoding schemes do) and extended UTF-8 characters must be in the form %XY%ZA%BC.

The query string parameters must be re-ordered according to the following rules:

Sorted by parameter name lexicographically

If there are two or more parameters with the same name, sort them by parameter values.
Example:

| Relative URL | Sorted Relative URL |
|---|---|
| /api/v2/sample?A-param=value1&Z-param=value2&B-param=value3 | /api/v2/sample?A-param=value1&B-param=value3&Z-param=value2 |

AccessToken

AccessToken is an OAuth2.0 access token retrieved from the HTTP “Authorization” header

RequestBody

Canonicalization Example.

{"Test1":"str Val","Test2":1}

After canonicalized, the above JSON will become the following.

{"Test1":"strVal","Test2":1}

RequestBody needs to be hashed with SHA-256.

If the RequestBody is empty, set it to an empty string.

RequestBody should be canonicalized before computing the SHA-256 hash.

The canonicalization of the request body is performed according to the following rules:

All carriage return characters, “\r”, are stripped

All line feed characters, “\n”, are stripped

All tab characters, “\t”, are stripped

All whitespace characters, “ ”, are stripped

Timestamp

The timestamp must be presented in ISO8601 format (yyyy-MM-ddTHH:mm:ss.SSSTZD)

| Format | Description |
|---|---|
| yyyy | four-digit year |
| MM | two-digit month (01=January, etc.) |
| dd | two-digit day of month (01 through 31) |
| T | literal ’T’ as date and time separator |
| HH | two digits of hour (00 through 23) (am/pm NOT allowed) |
| mm | two digits of minute (00 through 59) |
| ss | two digits of second (00 through 59) |
| SSS | three digits representing millisecond (000 through 999) |
| TZD | time zone designator (+hh:mm or -hh:mm) |
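The Relative URL, RequestBody and Timestamp rules above, implemented as an added example (not BCA's own code). The function names are hypothetical, and two points the page leaves open are assumptions: RFC 3986 unreserved characters stay unencoded, and the SHA-256 digest is rendered as lowercase hex.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote, urlsplit


def _pct(component: str, safe: str = "") -> str:
    # Normalise escapes: uppercase hex, space as %20 (never "+").
    # Assumption: RFC 3986 unreserved characters (A-Z a-z 0-9 - _ . ~) stay literal.
    return quote(unquote(component), safe=safe)


def canonical_relative_url(url: str) -> str:
    """Relative URL with encoded components and sorted query parameters."""
    parts = urlsplit(url)
    path = _pct(parts.path, safe="/") or "/"
    if not parts.query:
        return path
    pairs = []
    for item in parts.query.split("&"):
        name, _, value = item.partition("=")
        pairs.append((_pct(name), _pct(value)))
    pairs.sort()  # by name, then by value when a name repeats
    return path + "?" + "&".join(f"{n}={v}" for n, v in pairs)


def canonical_body(body: str) -> str:
    """Strip every CR, LF, tab and space, including those inside string values."""
    return re.sub(r"[\r\n\t ]", "", body or "")


def body_sha256(body: str) -> str:
    # Assumption: the digest is carried as lowercase hex; the page only says SHA-256.
    return hashlib.sha256(canonical_body(body).encode("utf-8")).hexdigest()


def bca_timestamp(moment: datetime) -> str:
    """yyyy-MM-ddTHH:mm:ss.SSSTZD; a naive datetime has no TZD, so reject it."""
    if moment.utcoffset() is None:
        raise ValueError("timestamp needs an explicit time zone")
    return moment.isoformat(timespec="milliseconds")


if __name__ == "__main__":  # constructed sample values, not from a real request
    print(canonical_relative_url("https://example.com/va/payments?RequestID=ab 12&CompanyCode=10111"))
    print(body_sha256('{"Test1":"str Val","Test2":1}'))
    print(bca_timestamp(datetime(2016, 9, 1, 8, 30, 5, 120000, tzinfo=timezone(timedelta(hours=7)))))
```

Because the canonical form drops spaces inside string values as well, two bodies that differ only in such whitespace produce the same hash.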

Headers

To successfully communicate with BCA Banking API, you must provide the following headers in every API request:

Get your KlikBCA Bisnis account balance information, with a maximum of 20 accounts in a request.
Your request must contain the following information:

Request

| Field | Data Type | Mandatory | Description |
|---|---|---|---|
| CorporateID | String(10) | Y | Your KlikBCA Bisnis Corporate ID |
| AccountNumber | String(10) | Y | Account(s) Number |

Please use this value for sandbox:
CorporateID : BCAAPI2016
AccountNumber : 0201245680 or 0063001004
We have updated this API on November 2017:
Previous URI: /banking/v2/corporates
Current URI : /banking/v3/corporates

Response

| Field | Data Type | Description |
|---|---|---|
| AccountDetail Data Success | | |
| AccountNumber | String(10) | Account Number |
| Currency | String(3) | Currency of the account (IDR, USD, etc) |
| Balance | String(16) | Balance of the account |
| AvailableBalance | String(16) | Available balance to be used. Format: Number, 13.2 |
| FloatAmount | String(16) | Amount of deposit that is not effective yet (due to holiday, etc). Format: Number, 13.2 |
| HoldAmount | String(16) | Hold amount that cannot be used. Format: Number, 13.2 |
| Plafon | String(16) | Credit limit of the account. Format: Number, 13.2 |
| AccountDetailDataFailed | | |
| English | String(100) | Error message in English |
| Indonesian | String(100) | Error message in Bahasa Indonesia |
| AccountNumber | String(10) | Account Number |

2. Account Statement

GET banking/v3/corporates/{CorporateID}/accounts/{AccountNumber}/statements?StartDate=yyyy-MM-dd&EndDate=yyyy-MM-dd

Request

Start Date of the account statement that you want to get. Format: yyyy-MM-dd

EndDate

String(10)

Y

End Date of the account statement that you want to get. Format: yyyy-MM-dd

Please use this value for sandbox:
CorporateID : BCAAPI2016
AccountNumber : 0201245680
Data is available from 2016-08-29 to 2016-09-01. We set today's date (ONLY FOR the Account Statement service) to 2016-09-01.
We have updated this API on November 2017:
Previous URI: /banking/v2/corporates
Current URI : /banking/v3/corporates

The result of the request contains the following information:

Response

| Field | Data Type | Description |
|---|---|---|
| Currency | String(3) | Currency of the account (IDR, USD, etc) |
| StartBalance | String(16) | Balance of the account at the start date. Format: Number, 13.2 |
| StartDate | String(10) | Start Date of the account statement that you want to get. Format: yyyy-MM-dd |
| EndDate | String(10) | End Date of the account statement that you want to get. Format: yyyy-MM-dd. If the end date is not a working day, the end date is changed automatically to the next working day. |

You can send fund transfer instructions to BCA using this service. The source of fund transfer must be from your corporate’s own deposit account. The recipient may be any deposit account within BCA.
Your request must contain the following information:

Payload

| Field | Data Type | Mandatory | Description |
|---|---|---|---|
| CorporateID | String(10) | Y | Your KlikBCA Bisnis CorporateID |
| SourceAccountNumber | String(10) | Y | Source of Fund Account Number |
| TransactionID | String(8) | Y | Transaction ID unique per day (using UTC+07 Time Zone). Format: Number |

You can send fund transfer instructions to BCA using this service. The source of fund transfer must be from your corporate's own deposit account. The recipient may be any deposit account within domestic bank except BCA.
Your request must contain the following information:

Headers

| Field | Data Type | Mandatory | Description |
|---|---|---|---|
| ChannelID | String(5) | Y | Channel Identification Number (Ex: 95051 for KlikBCA Bisnis) |
| CredentialID | String(10) | Y | Your Channel Identity (ex: Your KlikBCA Bisnis CorporateID) |

Payload

| Field | Data Type | Mandatory | Description |
|---|---|---|---|
| TransactionID | String(8) | Y | Transaction ID unique per 90 days (using UTC+07 Time Zone). Format: Number and must be 8 digits |

{"Authentication":{"CorporateID":"BCAAPI2016","AccessCode":"Kw5oTu5th6SH44Y8ww","BranchCode":"BCA001","UserID":"BCAUSERID001","LocalID":"40115"},"SenderDetails":{"FirstName":"BLUMA","LastName":"PINTO","DateOfBirth":"","Address1":"DUBAI","Address2":"","City":"DUBAI","StateID":"","PostalCode":"","CountryID":"AE","Mobile":"","IdentificationType":"","IdentificationNumber":""},"BeneficiaryDetails":{"Name":"TEST","DateOfBirth":"","Address1":"Dubai","Address2":"","City":"DUBAI","StateID":"ID","PostalCode":"","CountryID":"ID","Mobile":"6212365478922","IdentificationType":"","IdentificationNumber":"","NationalityID":"","Occupation":""},"TransactionDetails":{"PIN":"477634423","SecretQuestion":"","SecretAnswer":"","CurrencyID":"IDR","Amount":"150000.00","PurposeCode":"030","Description1":"","Description2":"","DetailOfCharges":"OUR","SourceOfFund":"Money transfer for family needs.","FormNumber":"477634423"}}

{"BeneficiaryDetails":{"Name":"TEST"},"TransactionDetails":{"PIN":"477634423","CurrencyID":"IDR","Amount":"150000.00","Description1":"","Description2":"","FormNumber":"477634423","ReferenceNumber":"CITIID01000NON16040000099","ReleaseDateTime":""},"StatusTransaction":"0003","StatusMessage":"Ready to Encash"}

Response

| Field | DataType | Mandatory | Description |
|---|---|---|---|
| StatusTransaction | String(4) | Y | ResponseCode and Sub-ResponseCode of transaction |
| StatusMessage | String(100) | Y | Description of StatusTransaction |
| BeneficiaryDetails | | | |
| Name | String(35) | N | Beneficiary’s name |
| TransactionDetails | | | |
| PIN | String(35) | N | Transaction PIN number. If not available, BCA will provide it |
| CurrencyID | String(3) | N | Transaction currency between FI and FIRe based on contract (setting FI Country in TPS) |
| Amount | String(20) | N | Transaction nominal |
| Description1 | String(35) | N | First description |
| Description2 | String(35) | N | Second description |
| FormNumber | String(16) | N | FI Ref |
| ReferenceNumber | String(25) | N | FI Ref |
| ReleaseDateTime | String(24) | N | Transaction release time. Format : YYYY-MM-DDThh:mm:ssTZD |

6. Amendment Cash Transfer

Provides a service for amending a “Cash Transfer” to a non-account holder.
Your request must contain the following information:

You can see the list of payment statuses owned by the customers. The data is queried automatically from D-day (hari H) back to D-2 (H-2, the day before yesterday), with a maximum of 10 rows returned.
Your request must contain the following information:

Request

| Field | Data Type | Mandatory | Description |
|---|---|---|---|
| CompanyCode | String(5) | Y | Unique code created by BCA to identify a company registered with BCA. |
| CustomerNumber | String(18) | Y | VA CustomerNumber (the bill number given by the Merchant). |
| RequestID | String(30) | Y | Unique transaction identifier generated by BCA and part of the flag payment response. |

The result of the request contains the following information:

Response

| Field | Data Type | Description |
|---|---|---|
| TransactionData | | |
| TransactionDate | String(29) | Time when the customer made the payment. |
| TotalAmount | String(16) | Total amount of transaction from merchant |
| PaidAmount | String(16) | Total amount of paid transaction by the customer (can be different for multi bills transaction) |
| PaymentFlagStatus | String(10) | Status of flagging to merchant. |
| RequestID | String(30) | Unique ID generated by BCA |
| Reference | String(15) | Reference ID for payment. (only for non multi bills) |
| DetailBills | | |
| BillNumber | String(18) | Reference ID for each bill in a transaction. Generated by Merchant |
| BillReference | String(15) | Reference ID for each bill in a transaction. Generated by BCA. (multi settlement and multi bills) |

When the Transaction Type (TxnType) value is NREV, the value of External Reference (ExternalReference) will be the same as that of the reversed transaction (the original transaction with the same ExternalReference number but TxnType NTRF).